sxadm - manage Solaris security extensions configuration
sxadm enable [-c property=value[,property=value,...]] extension[,extension,...] sxadm delcust [extension,...] sxadm disable extension[,extension,...] sxadm get [-p] [-o "all" | field[,...]] <"all" | property[,...]> [extension] sxadm help [subcommand] sxadm set property=value[,property=value,...] extension sxadm status [-p] [extension]
sxadm exec [-s extension=value],... command
The sxadm command configures and provides information regarding Solaris security extensions. These extensions can be applied at the system level, or at the process level.
Security extensions for a process are determined by exec(2), and become effective for a process from that point forward. Extensions persist for the lifetime of the process until the process exits or calls exec(2) again. System level extensions can affect all processes. Process level extensions affect individual processes, and are inherited by any child processes, providing the child process is not privileged. See SECURITY EXTENSIONS.
Individual executables can be tagged with security extension requirements when built with ld(1). This tagging ensures the associated process requirements are met regardless of any system level extensions. Executables with tagged security extensions can be overridden with process level extensions. See EXECUTABLE TAGGED EXTENSIONS.
The following security extensions are available. These extensions reduce the chances of attackers finding known entry points, or planting exploitation code in locations that can later be executed.
ASLR activates the randomization of the location of key areas of the process, such as the stack, brk-based heap, and memory segment mappings. The memory mappings of an application that is built as a position-independent executable are also randomized under ASLR.
NXHEAP prevents pages allocated for the process heap from being executable.
NXSTACK prevents pages allocated for the process stack from being executable. Backward compatibility with legacy /etc/system noexec_user_stack and noexec_user_stack_log settings is maintained, although such controls are deprecated and sxadm should be used instead.
By default, the global zone and all non-global zones have the ASLR and NXHEAP extensions enabled only for tagged binaries, while the NXSTACK extension is enabled for all processes.
A security extension can have one or more properties. All extensions have a model property. This property defines what the extension is applied to. Following are the model properties that exist.
Enable the security extension for all processes.
Enable the security extension for tagged binaries.
Follow the security extension system default. See SECURITY EXTENSIONS.
Security extensions may have additional properties.
NXHEAP and NXSTACK provide a logging property, which, when enabled, reports attempts to execute from non-executable memory ranges (stack for NXSTACK, heap and data for NXHEAP).
Disable logging. (Default configuration)
Security extensions can be modified system wide using the sxadm subcommands enable, disable, set, and delcust. For example, the following sxadm commands enable extensions system wide:
% sxadm enable nxstack % sxadm enable aslr,nxheap
The following sxadm command also enables extensions system wide but by specifically identifying each property:
% sxadm enable -c model=all aslr % sxadm enable -c model=all -c log=enable nxstack
Security extensions can also be enabled or disabled for a process using the sxadm subcommand exec. This subcommand only affects the status of the security extension. Any other properties of the extension are inherited from the system properties. The following sxadm command ensures the foobar process executes with disabled extensions:
% sxadm exec -s aslr=disable -s nxheap=disable foobar
Individual executables can be tagged with security extension requirements when built with the following ld(1) options:
Control ASLR tagging.
Control non-executable heap tagging.
Control non-executable stack tagging.
The mode can be enabled or disabled. If the mode is not supplied, then enabled is the default.
The security extension defined within a tagged executable interacts with any system wide security settings in the following manner.
An executable with an enabled, or disabled security setting is honored without consulting the system security setting. Process level security settings override tagged executable settings.
Only executables that have a tagged security setting are honored when the system security setting is tagged-files.
The sxadm command has the following subcommands:
Enable the specified extension for the current zone. The –c option allows sxadm to pass property values for the specific extension.
Restore the extension to the default configuration. This option effectively deletes any customizations.
Disable the specified extension for the current zone.
Display usage information about sxadm or more detailed information for each subcommand.
Report information on the status of all security extensions for the current zone. If –p is specified, the output is displayed in an easily parseable format. Specifying an extension on the command line filters for the specific extension. Machine parseable output is a list of colon-separated fields:
extension:status (model):configuration (model)
The name of the extension
The current status for the extension (enabled or disabled)
The current model enabled for the security extension (all, default, tagged-binaries)
The stored configuration for the extension (enabled, disabled, or sys- tem default)
The characters colon (:), null sign (\0), and newline (\n) are not permitted for any of the components, extension_name, status, extra, and configuration.
Display the value of security extensions properties. If extension is specified, display the value of the property only for the specified extension. Specify "all" to display properties associated to all sections. For each property, the following columns are displayed:
extension: the extension the property refers to name: the name of the property value: the value of the property
All columns are displayed by default; specify particular or all columns, using the –o option. If –p is specified, the output is displayed in an easily parseable format. Such format is a list of colon-separated fields:
The characters colon (:), null sign (\0), and newline (\n) are not permitted for any of the components.
Assign value to the property of the specified extension.
Execute the specified command with a specific configuration for security extensions. For each security extension not explicitly configured on the command line, the system configuration is used. Child processes eventually spawned by command inherit the same security extension configuration that is specified on the command line. setuids and privileged binaries do not inherit any configuration. Multiple configurations can be expressed from the command line using multiple –s options. If the same extension is configured more than once, the last occurrence takes precedence. In the following example, foobar is executed with ASLR enabled:
% sxadm exec -s aslr=disable -s aslr=enable foobar
The sxadm exec subcommand is designed to accommodate the common case in which a debugger is applied to a single process started directly by the debugger. It may not be sufficient for more complex scenarios. In such cases, it may be necessary to use sxadm to change the system or zone level security extension defaults, or to apply per-object tagging using the ld(1) utility, in order to facilitate debugging.
This feature is primarily of interest when extensions based on a randomized secret are active (for example, ASLR), since changing memory addresses can complicate some debugging scenarios. This feature is also useful for explicitly testing applications with different security extension configurations.
$ sxadm status -p aslr:enabled (tagged-files):system default (default) nxstack:enabled (all):system default (default) nxheap:enabled (tagged-files):system default (default) $ $ sxadm status EXTENSION STATUS CONFIGURATION aslr enabled (tagged-files) system default (default) nxstack enabled (all) system default (default) nxheap enabled (tagged-files) system default (default) $Example 2 Use set/get to set/retrieve Security Extensions Properties
$ sxadm get model aslr EXTENSION PROPERTY VALUE aslr model tagged-files $ $ sxadm set log=enable nxheap $ sxadm get log nxheap EXTENSION PROPERTY VALUE nxheap log enable $Example 3 Running a Debugging Session
The following command sequence illustrates a debugging session being conducted with ASLR disabled.
$ sxadm exec -s aslr=disable /bin/bash $ # Because all processes (except privileged ones) inherit the(disabled) # ASLR configuration mdb, truss & co will have repeatable results. $ truss -t mmap /bin/true mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5B0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5A0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE590000 [...] $ truss -t mmap /bin/true mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5B0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5A0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE590000 [...] $ truss -t mmap /bin/true mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5B0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE5A0000 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0) = 0xFE590000
The command completed successfully.
The command exited due to an error.
See attributes(5) for descriptions of the following attributes: